ColdFusion 9.0.1 Secure JSESSIONID Cookie

8 Dec 2011


We are running a couple of ColdFusion 9.0.1 servers with all the latest hotfixes and updates. We also needed secure cookies for these particular servers, and we are using JSESSIONID instead of the CFID and CFTOKEN cookies. However, the JSESSIONID cookie was not secure by default, and setting it as such isn't as obvious as it is for the other two.

Everything I read said to update the runtime/bin/jvm.config file with the following option:

-Dcoldfusion.sessioncookie.httponly=true

However, when I restarted ColdFusion, that did not seem to do anything. Hmm... Then I found this: http://livedocs.adobe.com/jrun/4/Programmers_Guide/techniques_servlet13.htm#1154030

and added the following to wwwroot/WEB-INF/jrun-web.xml immediately after the persistence-config inside the session-config tags:

<cookie-config>
    <cookie-secure>true</cookie-secure>
</cookie-config>

Restarted ColdFusion, again... Success! Our JSESSIONID cookie is now secure.
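One way to confirm the result after each restart, as an added example that is not part of the original post: a small Python check that reads response header lines and reports which flags the JSESSIONID cookie is missing. Secure and HttpOnly are separate cookie attributes, so it checks each on its own; the header lines and cookie values are constructed samples, and the function names are hypothetical.

```python
# Added example: check which protective flags a session cookie is missing.
# All header lines below are constructed samples, not captured traffic.
NO_FLAGS = ["HTTP/1.1 200 OK",
            "Set-Cookie: JSESSIONID=8430c0ffee1234; path=/"]
HTTPONLY_ONLY = ["HTTP/1.1 200 OK",
                 "Set-Cookie: JSESSIONID=8430c0ffee1234; path=/; HttpOnly"]
SECURE = ["HTTP/1.1 200 OK",
          "Set-Cookie: CFID=1234; path=/",
          "Set-Cookie: JSESSIONID=8430c0ffee1234; path=/; Secure; HttpOnly"]

WANTED = ("Secure", "HttpOnly")


def parse_set_cookie(line):
    """Return (cookie_name, {lowercased attribute names}) or None."""
    field, _, value = line.partition(":")
    if field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return None
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def missing_flags(header_lines, cookie_name="JSESSIONID"):
    """List the WANTED flags absent from any Set-Cookie for cookie_name.

    Returns None when the response never sets that cookie at all.
    """
    seen = False
    missing = set()
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None or parsed[0] != cookie_name:
            continue
        seen = True
        missing.update(f for f in WANTED if f.lower() not in parsed[1])
    return sorted(missing) if seen else None


if __name__ == "__main__":
    for label, headers in (("no flags", NO_FLAGS),
                           ("HttpOnly only", HTTPONLY_ONLY),
                           ("Secure + HttpOnly", SECURE)):
        print(label, "-> missing:", missing_flags(headers))
```

To run it against a real server, save the response headers to a file (for example with `curl -sI`) and pass the lines to `missing_flags`.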
